May 13, 2022 By David Kliemann 4 min read

A few key takeaways that are critical to protecting business outcomes for today’s modern enterprises.

As companies continue to embrace the cloud, security threats have become more advanced as the digital landscape evolves. Understanding security needs and requirements for keeping data safe is paramount. Without taking active steps to improve cloud security, organizations can face significant governance and compliance risks when managing sensitive information, regardless of where it is stored. Cloud security should be an important consideration regardless of the size of your enterprise, and cloud security solutions and best practices are a necessity when helping ensure business resilience.

As part of IBM Cloud’s partnership with the Cloud Security Alliance (CSA), I recently had the opportunity to participate as a panel member in two CSA Regional events that were designed to bring cloud cybersecurity professionals together to share case studies, lessons learned and new technologies that promote secure implementation of cloud computing. The following are key takeaways critical to protecting business outcomes for today’s modern enterprises.

Organizations need to have a comprehensive cloud strategy to be successful

More and more, institutions are adopting hybrid multicloud approaches to their IT infrastructures, driven by increased flexibility, cost reduction and improved capabilities. In the early days of cloud computing, lift-and-shift migration was seen as a viable option, but as cloud architectures and solutions have evolved, the value of migrating an application “as is” has lowered drastically. Now, lift and shift should only be used when absolutely necessary to migrate to the cloud, because it often causes long-term issues. In today’s layered and complex environments, thinking strategically in terms of a hybrid multicloud approach is a key part of digital transformation.

In a recent CSA study, only 25% of organizations said they have a hybrid multicloud approach, even though the reality is most organizations utilizing third- and fourth-party providers are already operating on some form of hybrid multicloud. Many organizations lack visibility into third-party situations; because the true scope of the technology environment is unclear, your IT teams may not be the only ones choosing where SaaS solutions are based.

Automation is necessary to maintain security and compliance

The scalability and continual change in cloud environments mean that manual efforts are expensive and infeasible, especially for highly regulated industries like the financial sector. In order to mitigate these difficulties, organizations should look into the concept of policy-as-code to help define and automate the rules and conditions that govern IT processes.

IBM Cloud for Financial Services is an example of policy-as-code in action, providing a single framework of controls that applies across the entire ecosystem tailored to the unique requirements of the financial services industry. This includes IBM Cloud services, financial institution (FI) clients and third-party Fintechs and SaaS providers. The reference architectures have the controls built into scripts so they are automatically applied to new workloads, creating secure landing zones that reduce the potential risk of misconfigurations. FIs are also able to continuously monitor the security and compliance posture of their cloud services and partner applications and services with the IBM Cloud Security and Compliance Center. With these capabilities, IBM Cloud for Financial Services creates a standardized set of security and compliance controls that are automatically applied and monitored in real-time.

Zero trust is a key part of ensuring your data and workloads are secure in the cloud

Rapid digitization and the move to hybrid multicloud have spread users, data and resources across the globe, making it difficult to connect them quickly and securely. When dealing with on-premises data centers, there was a clear perimeter to assess and enforce the trustworthiness of connections, but this current ecosystem requires a different approach. Organizations are turning to zero trust to ensure all data and resources are inaccessible by default and can only be accessed on a limited basis and under the right circumstances.

But what exactly is zero trust? Zero trust is not a single “tool” you can buy; rather, it is a holistic approach to integrate traditionally siloed security tools to define, create and enforce fine-grained connections between the users, data and resources in today’s business environments. There are four guiding principles to keep in mind to ensure zero trust success:

  1. Define trust: Understand users, data and resources to create coordinated security policies aligned with the business.
  2. Verify and enforce trust: Secure the organization and grant conditional access without friction by quickly and consistently validating context and enforcing policies.
  3. Rebuild trust: Resolve security violations with minimal impact to business by taking targeted actions.
  4. Analyze and improve trust: Continually improve security posture by adjusting policies and practices to make faster, more informed decisions.

Enacting zero trust in your organization through the lens of these principles and tailored capabilities will help keep your users, data and resources connected securely and your business operating smoothly. 

Incident response preparedness is crucial

Although the goal is always to keep bad actors away from sensitive data and workloads, no security strategy is 100% watertight. As businesses and industries quickly modernize, the cost of security breaches and risk of attack vectors have gone up exponentially. Any organization — big or small — must be prepared to respond to possible incidents. What your security and technology teams need to do may be similar to on-prem attacks, but how they do it may be different when dealing with complex cloud environments.

Train your teams — there’s a reason that the military spends so much time and effort conducting exercises. You don’t want the first time you have to do something to be in the middle of a crisis. It is important to stress test your incident response (IR) plans to increase your cyber resilience. There are many ways organizations can approach forming IR teams and strategies, from engaging non-profits like CSA to working with IR firms like IBM’s X-Force team. Creating the right approach depends on the unique size, complexity and regulatory requirements of your organization.

Start your cloud security journey with IBM

By incorporating these key considerations into their cloud security strategy, organizations can achieve a more effective and holistic approach to cloud security, ultimately allowing greater focus on business outcomes and innovation. Industry events like these regional Cloud Security Alliance summits are excellent opportunities to get perspectives across the cybersecurity, technology and cloud disciplines and to increase our collective learning of what helps create secure, risk-managed cloud environments. This helps enable organizations across numerous industries to accelerate their digital transformation in a secure and compliant manner. IBM has had a long-standing relationship with the Cloud Security Alliance, and we continue to prioritize the safety and security of the cloud space as capabilities and technologies evolve.

IBM Cloud provides end-to-end security capabilities and customizable solutions to help manage your data, all backed by expert support. IBM Cloud for Financial Institutions, a first-of-its-kind public cloud developed for the industry, has specific security and controls capabilities required to help clients reduce risk and accelerate cloud adoption, for even their most sensitive workloads.
